Microsoft Intune NDES Connector Setup Wizard Ended Prematurely

A Windows Server with the Network Device Enrollment Service (NDES) role can be provisioned on-premises to support certificate deployment for non-domain Windows 10 Always On VPN clients. In addition, the Microsoft Intune Connector must be installed and configured on the NDES server to allow Intune-managed clients to request and receive certificates from the on-premises Certification Authority (CA) server.

Setup Wizard Ended Prematurely

When installing the Microsoft Intune Connector, the administrator may encounter a scenario where the setup wizard fails with the following error message.

“Microsoft Intune Connector Setup Wizard ended prematurely because of an error. Your system has not been modified. To install this program at a later time, run Setup Wizard again. Click the Finish button to exit the Setup Wizard.”

Cryptographic Service Provider

This error can occur if the NDES server certificate template is configured to use a Key Storage Provider (KSP) instead of a legacy cryptographic service provider (CSP). When configuring the certificate template for the NDES server, the Legacy Cryptographic Service Provider must be used.
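One way to check which provider holds the private key of a certificate already issued to the NDES server, as an added example that is not part of the original post. It assumes the `Provider = ...` line that `certutil -store My` prints for each certificate with a private key; the function name and the sample output below are constructed for illustration.

```powershell
# Added example: classify the key provider of each certificate listed by certutil.
# Get-CertKeyProvider is a hypothetical helper name, not a built-in cmdlet.
function Get-CertKeyProvider {
    param([string[]]$Lines)

    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^=+ Certificate \d+ =+') {
            if ($current) { $current }   # emit the previous certificate
            $current = [pscustomobject]@{
                Subject  = $null
                Provider = $null
                KeyType  = 'No private key found'
            }
        }
        elseif (-not $current) { continue }
        elseif ($line -match '^Subject:\s*(.+)$') {
            $current.Subject = $Matches[1].Trim()
        }
        elseif ($line -match '^\s*Provider\s*=\s*(.+)$') {
            $current.Provider = $Matches[1].Trim()
            # KSP names are checked first; legacy CSP names contain "Cryptographic Provider".
            $current.KeyType = switch -Regex ($current.Provider) {
                'Key Storage Provider|Platform Crypto Provider' { 'KSP (CNG)'; break }
                'Cryptographic Provider'                        { 'Legacy CSP'; break }
                default                                         { 'Unknown' }
            }
        }
    }
    if ($current) { $current }           # emit the last certificate
}

# Constructed sample shaped like "certutil -store My" output (not from a real server).
$sample = @'
================ Certificate 0 ================
Subject: CN=ndes.example.test
  Provider = Microsoft Software Key Storage Provider

================ Certificate 1 ================
Subject: CN=ndes.example.test
  Provider = Microsoft RSA SChannel Cryptographic Provider
'@ -split "`r?`n"

Get-CertKeyProvider -Lines $sample | Format-Table -AutoSize

# On the NDES server, from an elevated prompt:
# Get-CertKeyProvider -Lines (certutil.exe -store My)
```

A certificate reported as `KSP (CNG)` was issued from a template using a Key Storage Provider; after switching the template to the legacy provider, the certificate must be reissued for the change to take effect on the server.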

8 Comments

Nat

It was a long time ago. I had separate server and client certificates, and seem to recall that when I changed the client certificate template back to legacy, reissued that cert, and tried the install, it all sprang to life and the connector install completed.

Victor

Hello Richard, thanks for your insight as always! Referencing your statement “A Windows Server with the Network Device Enrollment Service (NDES) role can be provisioned on-premises to support certificate deployment for non-domain Windows 10 Always On VPN clients”, I have these questions:

1. Can non-Microsoft clients (e.g., Android devices) be used with a full Microsoft stack AONVPN setup, i.e., RRAS, NPS, ADCS? I have a client who is planning to roll out Android devices but is not sure if this will work with AONVPN.

2. If the above is possible, is the experience “Always On”?

I read somewhere where you state that Always On VPN does not support any other clients except Windows 10 (not even Windows 7), so this particular scenario you are describing seems a bit confusing. Hope you can help shed more light.

Windows 10 Always On VPN is strictly a Microsoft Windows 10 solution. However, if you’ve configured the VPN server to support IKEv2, which is a public standard, it is interoperable with many platforms including Android. However, the “Always On” bit is exclusive to Windows 10. While you can configure a non-Microsoft device to connect to the same VPN server as Windows 10 Always On VPN clients (assuming you are using the same authentication scheme) the non-Windows clients will not connect automatically (unless those platforms have something similar, of course).

Victor Bassey

I wanted to add something I found on Reddit that fixed my issue. Even though my account is an admin on the server, when I right-clicked ‘Run as administrator’ it installed. Just regular running gave me the premature error.

Also, thank you Mr. Hicks for all the wonderful help. Your site is amazing.